
#000: How New IoT Security Regulations Will Shape the Industry's Future
09/17/24 • 63 min
In today's Coredump Session, Memfault’s François Baldassari and Chris Coleman unpack the sweeping impact of new IoT security regulations like the CRA and the Cyber Trust Mark. From shocking real-world exploits to smart compliance strategies, they explore what these changes mean for hardware teams and the future of connected devices. If you ship firmware or build IoT products, this one’s essential listening.
Key takeaways:
- IoT security is no longer optional—new regulations like the CRA and Cyber Trust Mark make it mandatory.
- Most connected devices today are still dangerously undersecured, with outdated stacks and poor OTA support.
- Open source platforms like Zephyr can make compliance easier by pooling security resources across companies.
- OTA (over-the-air) updates are now a requirement in both US and EU regulations.
- The CRA introduces SBOM (Software Bill of Materials) requirements to track vulnerabilities in dependencies.
- Observability, encryption, and secure boot need to be built in from the start—not as last-minute add-ons.
- Compliance will vary based on device criticality, but self-certification will be the norm for most companies.
- Ignoring security costs more in the long run—both in reputation and risk.
Chapters:
00:00 Episode Teasers & Intro
01:03 Meet the Hosts: François and Chris from Memfault
03:40 Why IoT Security Is Still So Behind
07:15 Vulnerabilities, Legacy Chips, and Who’s to Blame
10:12 Wireless Protocols: Still a Huge Attack Surface
13:28 If You Ship Without OTA, You're Asking for Trouble
20:50 Introducing the CRA and Cyber Trust Mark
23:38 What the CRA Actually Requires
31:45 Reconciling Security Monitoring with GDPR
34:07 Cyber Trust Mark vs CRA: US vs EU Approaches
41:05 What You Can Do Today to Prepare
46:33 How Long Do You Have to Support a Device?
52:19 Attack Surfaces: Even a Projector Isn't Safe
56:06 Lifecycle Support and Product Lifespan Realities
58:51 Observability in Low-Resource Devices
1:00:34 Connected Architectures & Multichip Compliance
1:01:43 IoT Devices with Limited Bandwidth & OTA Constraints
Next Episode

#001: The future of Bluetooth connectivity with Blecon Founder, Simon Ford
In today’s Coredump Session, we unpack the full story of Bluetooth—from its PDA-era beginnings to its rising role in cloud-connected devices. With insights from Memfault’s Chris Coleman and François Baldassari, along with Blecon’s Simon Ford, this wide-ranging conversation explores how Bluetooth Low Energy has evolved, where it thrives (and doesn’t), and why it’s often the right tool, even if it’s not a perfect one. Expect history, hot takes, and practical guidance for building better Bluetooth-powered products.
Key Takeaways:
- Bluetooth Low Energy (BLE) and Bluetooth Classic are fundamentally different—and BLE was never just a “lite” version.
- BLE's strength lies in its low power consumption and quick connection setup, making it ideal for peripheral devices that sleep most of the time.
- Use cases like audio, asset tracking, and cloud sync continue to shape BLE’s evolution, and new specs like LE Audio and PAwR are expanding its reach.
- Bluetooth wins not because it’s perfect—but because it’s practical: globally adopted, low-cost, and well-supported.
- Debugging Bluetooth at scale requires collecting connection parameters, analyzing retries, and understanding phone ecosystem quirks.
- BLE Mesh adoption has been underwhelming, with real-world complexity often outweighing its theoretical benefits.
- Expect to see BLE turn up in more places, including MEMS sensors and energy-harvesting devices, not just consumer gadgets.
- Designers should understand trade-offs in connection intervals, latency, and power draw when choosing Bluetooth for cloud or local connectivity.
Chapters:
00:00 Episode Teasers & Intro
01:10 Meet the Guests: Bluetooth Roots at Pebble, Fitbit, and Blecon
06:51 BLE’s Breakthrough: The iPhone 4S Moment
10:22 BLE vs Classic: Why It Took Off
14:39 Specs That Shifted Everything: Packet Length, Coded PHY & LE Audio
21:41 Is BLE Still Interoperable? And Does It Matter?
28:22 The BLE Cloud Puzzle: Gateways, Phones & Golden Gate
38:40 BLE’s Sweet Spot: Power, Latency & When It Just Works
47:12 Operating BLE Devices in the Wild: What to Track & Why
57:40 Mesh Ambitions vs Reality